They are what are called reverse VPNs.
They hide the actual server of the website, and fetch from that server whenever the user asks for content from that server. The basic idea is that if there is an actual DDoS attack, Cloudflare's servers take the brunt of the attack. Cloudflare is big enough that it can handle a DDoS attack. This is why it sometimes has you wait 5 seconds: Cloudflare thinks you may be DDoSing, so it asks you to wait a few seconds before it queries the server, so as not to overload the server.
In some sense it's an insurance policy. You handle a DDoS attack by having enough computing resources to manage all the requests; most companies cannot afford such resources to defend against attacks that happen once in a blue moon, but when they all band together under a company like Cloudflare, DDoS attacks on at least one of them happen often enough to justify the cost being split among all its users.
CloudFlare is a fancy Reverse Proxy server.
Basically, you never actually touch the web server. You only ever touch a CloudFlare edge server. That CloudFlare edge server requests the content from the web server on your behalf.
CloudFlare knows how much the host can handle, so if it thinks it's going to start overwhelming the host, it slows down how quickly it sends those actual responses. It can either do this by showing you a page where it's just waiting, or it can give you a CAPTCHA prompt to try to reduce bot activity.
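To make the two behaviours in the answer above concrete (a single client hammering the edge gets a challenge; many clients that together exceed what the origin can take get made to wait), here is a toy model of an edge node in front of an origin. This is an added example, not code from the thread or from Cloudflare. It assumes the origin's capacity is a token bucket refilled at a fixed requests-per-second rate, that the edge challenges any one client exceeding 20 requests in a one-second window, and that all timestamps are integer milliseconds; the traffic in the two scenarios is constructed in-process, so it runs offline.

```python
"""Toy reverse-proxy edge in front of an origin server (added example).

Assumptions (not from the thread): origin capacity is a token bucket,
per-client limit is 20 requests per fixed one-second window, and time is
integer milliseconds so the arithmetic is exact.
"""
from collections import defaultdict


class Origin:
    """The real web server. Clients never reach it directly."""

    def __init__(self, capacity_per_sec: int):
        self.capacity = capacity_per_sec              # assumed sustainable load
        self.milli_tokens = capacity_per_sec * 1000   # bucket starts full
        self.last_refill_ms = 0
        self.served = 0

    def refill(self, now_ms: int) -> None:
        # `capacity` requests per second == `capacity` milli-tokens per ms.
        elapsed = max(0, now_ms - self.last_refill_ms)
        self.milli_tokens = min(self.capacity * 1000,
                                self.milli_tokens + elapsed * self.capacity)
        self.last_refill_ms = now_ms

    def handle(self) -> str:
        self.served += 1
        return "200 origin content"


class Edge:
    """Edge node: forwards a request, makes it wait, or issues a challenge."""

    def __init__(self, origin: Origin, client_burst_limit: int = 20):
        self.origin = origin
        self.client_burst_limit = client_burst_limit
        self.per_client = defaultdict(int)   # requests per client this window
        self.window_start_ms = 0

    def request(self, client_ip: str, now_ms: int) -> str:
        # Fixed one-second window for the per-client counters (assumed).
        if now_ms - self.window_start_ms >= 1000:
            self.per_client.clear()
            self.window_start_ms = now_ms
        self.per_client[client_ip] += 1
        # One client hammering the edge looks like a bot: challenge it and
        # never let the request touch the origin at all.
        if self.per_client[client_ip] > self.client_burst_limit:
            return "403 challenge"
        # Many clients each under the per-client limit can still exceed what
        # the origin can take; then the edge holds the request ("waiting" page).
        self.origin.refill(now_ms)
        if self.origin.milli_tokens < 1000:
            return "503 wait"
        self.origin.milli_tokens -= 1000
        return self.origin.handle()


def simulate(capacity: int, traffic: dict, seconds: int = 1) -> dict:
    """traffic maps client IP -> requests per second; returns outcome counts."""
    origin = Origin(capacity)
    edge = Edge(origin)
    events = []
    for ip, rps in traffic.items():
        for s in range(seconds):
            for k in range(rps):
                events.append((s * 1000 + k * 1000 // rps, ip))
    events.sort()                      # process strictly in time order
    counts = defaultdict(int)
    for now_ms, ip in events:
        counts[edge.request(ip, now_ms)] += 1
    return dict(counts)


def single_attacker() -> dict:
    """One source at 200 req/s plus ten normal users (constructed traffic)."""
    traffic = {"198.51.100.7": 200}
    traffic.update({f"203.0.113.{i}": 1 for i in range(10)})
    return simulate(capacity=50, traffic=traffic)


def botnet() -> dict:
    """100 sources at 5 req/s each, every one under the per-client limit."""
    traffic = {f"192.0.2.{i}": 5 for i in range(100)}
    return simulate(capacity=50, traffic=traffic)


if __name__ == "__main__":
    print("single attacker:", single_attacker())
    print("botnet:", botnet())
```

In the first scenario the origin only ever sees 30 requests (the attacker's first 20 and the ten real users) and the other 180 are answered with a challenge at the edge; in the second no client trips the per-client check, so the origin's 50 req/s budget is what limits things and most requests are held back.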
Trying to go for a real ELI5:
Imagine a really, really big bodyguard for a celebrity. Normal people can ask the bodyguard to go talk to the celebrity, and the bodyguard will let them through.
However, if the bodyguard notices someone charging at the celebrity the bodyguard can step in the way and take the blow so they don’t reach the celebrity.
The bodyguard is Cloudflare and the website is the celebrity.
I have it on decent authority they use a product called Arbor.
[https://www.netscout.com/arbor](https://www.netscout.com/arbor)
There are a couple of techniques that are well known for use in a DDoS, things like a DNS amplification attack. Even if you run a large network, it is really hard for you to mitigate an attack like that. If you are the size of Cloudflare or one of a few American ISPs, you actually can. Arbor devices sit in line with the traffic and can initiate a mitigation in under a minute. It is smart enough to know "those 10,000 DNS responders shouldn't act that way, because they haven't for the last three years". That traffic is quietly dropped by devices running multiple 100Gb network interfaces; at present there is not enough traffic on the internet to swamp the trunks headed into the Arbor devices. This is all very expensive: the kind of routers that feed an Arbor device are like $90,000 or more. So the senders send all this traffic, but Cloudflare drops it, and the Cloudflare customer barely notices anything happened.
Others have responded that Cloudflare can mitigate the endpoint with something called a "CAPTCHA", which is true, but a true DDoS attack will quickly overwhelm that. They can literally swamp a network port with traffic sourced from across the world. The system can't throw up enough CAPTCHAs, and even if it could, each of those sessions takes up bandwidth. Eventually, the server ends up doing nothing but denying / refusing connections. That IS a successful DDoS attack: you overwhelmed the target with traffic. The only way to fix that is to drop the traffic well in advance of it getting to any kind of Cloudflare instance.
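The "those responders haven't behaved like that for years" logic in the answer above is a baseline anomaly check on flow data, and it can be shown end to end: build a per-source baseline of UDP/53 bytes from history, flag sources that suddenly blow past it, and only declare an attack when many such responders hit the same destination at once. This is an added example, not the thread's code and not NETSCOUT Arbor's; the thresholds (10x baseline with a 50 KB floor, 20 distinct sources) and the drop-rule text are assumptions for illustration, and the flow records are constructed.

```python
"""Baseline-based detection of a DNS amplification flood (added example).

Not Arbor's logic or syntax. Assumed thresholds: a source is anomalous when
its UDP/53 bytes in the current window exceed SPIKE_FACTOR times its
historical per-window average and at least MIN_BYTES; an attack is declared
when MIN_SOURCES anomalous sources target the same destination.
"""
from collections import defaultdict
from dataclasses import dataclass

SPIKE_FACTOR = 10        # current/baseline ratio that counts as anomalous (assumed)
MIN_BYTES = 50_000       # floor so a never-seen source with tiny traffic is not flagged
MIN_SOURCES = 20         # distinct anomalous responders before we call it an attack


@dataclass(frozen=True)
class Flow:
    window: int          # index of the one-minute window the record falls in
    src_ip: str
    src_port: int
    dst_ip: str
    proto: str           # "udp" or "tcp"
    nbytes: int


def dns_response_bytes(flows):
    """Bytes per (src_ip, dst_ip, window), counting only UDP traffic *from* port 53."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src_port == 53:
            totals[(f.src_ip, f.dst_ip, f.window)] += f.nbytes
    return totals


def build_baseline(history, n_windows):
    """Average UDP/53 bytes per window from each source over n_windows of history.

    Sources absent from history get no entry, i.e. a baseline of zero."""
    per_src = defaultdict(int)
    for (src, _dst, _w), b in dns_response_bytes(history).items():
        per_src[src] += b
    return {src: total / n_windows for src, total in per_src.items()}


def detect(current, baseline):
    """Return {dst_ip: sorted anomalous src_ips} for destinations under attack."""
    anomalous = defaultdict(set)
    for (src, dst, _w), b in dns_response_bytes(current).items():
        threshold = max(SPIKE_FACTOR * baseline.get(src, 0.0), MIN_BYTES)
        if b > threshold:
            anomalous[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in anomalous.items()
            if len(srcs) >= MIN_SOURCES}


def mitigation_rules(attacks):
    """Illustrative drop rules to push to an in-line device upstream (assumed format)."""
    return [f"drop udp src {src} sport 53 dst {dst}"
            for dst, srcs in attacks.items() for src in srcs]


def constructed_scenario():
    """Constructed history and one attack window; returns (baseline, attacks, rules)."""
    victim = "203.0.113.10"
    history = []
    # 60 quiet windows: three resolvers the victim genuinely talks to.
    for w in range(60):
        for i in range(3):
            history.append(Flow(w, f"192.0.2.{i}", 53, victim, "udp", 800))
    current = [Flow(60, f"192.0.2.{i}", 53, victim, "udp", 800) for i in range(3)]
    # A legitimate burst from a known resolver: over 10x baseline but under the floor.
    current.append(Flow(60, "192.0.2.0", 53, victim, "udp", 9_000))
    # 25 open resolvers never seen before, each reflecting 400 KB at the victim.
    for i in range(25):
        current.append(Flow(60, f"198.51.100.{i}", 53, victim, "udp", 400_000))
    # TCP from port 53 is not reflection traffic; the UDP filter ignores it.
    current.append(Flow(60, "198.51.100.99", 53, victim, "tcp", 900_000))
    baseline = build_baseline(history, n_windows=60)
    attacks = detect(current, baseline)
    return baseline, attacks, mitigation_rules(attacks)


if __name__ == "__main__":
    _, attacks, rules = constructed_scenario()
    print(attacks)
    print("\n".join(rules))
```

Note what the floor and the source-count threshold buy you: the known resolver whose traffic jumps from 800 to 9,800 bytes is not touched, and a single never-seen source sending a lot would not by itself trigger a mitigation; it takes a crowd of unexpected responders converging on one destination, which is the signature of a reflection attack rather than of one busy resolver.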